Monitoring systems were looking for attacks using a technique popularized by the NSA.

Huawei MateBook systems running the company's PCManager software included a driver that would let unprivileged users create processes with superuser privileges. Microsoft discovered the insecure driver using some of the new monitoring features added to Windows 10 version 1809, whose reports are analyzed by the company's Microsoft Defender Advanced Threat Protection (ATP) service.

First things first: Huawei fixed the driver and published the safe version in early January, so if you're using a Huawei system and have either updated everything or removed the built-in applications entirely, you should be good to go.

Microsoft Defender ATP does not rely solely on signature-based endpoint antimalware to detect known threats; it also uses heuristics that look for behavior that appears suspicious, even if no particular malware has been identified. Windows itself notices certain actions taken by software and reports them to the Defender ATP cloud service, and machine learning-based algorithms look for anomalies in these reports.

The technique Microsoft's sensors were watching for is the one used by DOUBLEPULSAR, which provides a way for a compromised kernel driver to run code in user mode. It works by copying some code into the memory of a privileged process that's already running and then directing the system to execute that code by sending an APC to the process. APCs ("asynchronous procedure calls") are a way to temporarily divert a thread from the function it's running: the thread switches to running a different function, and when that function finishes, the thread resumes the original function from where it left off.

APCs are used internally by the operating system for certain I/O operations: instead of having to wait for the system to read or write a file, Windows has a system whereby the read or write operation can be started without waiting, with an APC used to indicate that the read or write has finished.

Injecting code this way requires a pair of back-to-back operations that the kernel can detect: the allocation of memory within a running process, followed by the kernel sending that process an APC that references the newly allocated memory. Either operation on its own is of little interest, but the two happening together, with the APC using the memory, is indicative of a DOUBLEPULSAR-style attack. Windows 10 version 1809 added sensors to record these kernel operations, which are known to be useful to malware.
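A toy correlator for the two-step pattern just described, as an added example that is not Microsoft's or the article's own code: it consumes constructed sensor-style events (the event fields and process IDs are assumptions) and flags only an APC whose routine address falls inside memory that a different process allocated into the same target shortly before, while an allocation alone or an ordinary I/O-completion APC alone produces nothing.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str          # "alloc" (memory allocated into a process) or "apc" (APC queued)
    src_pid: int       # process performing the operation
    target_pid: int    # process that receives the allocation or the APC
    address: int       # allocation base for "alloc", APC routine address for "apc"
    ts: float          # seconds; constructed timestamps
    size: int = 0      # allocation size in bytes ("alloc" only)

def find_injection_pairs(events, window=5.0):
    """Return (alloc, apc) pairs where an APC targets memory that another
    process allocated into the same target process within `window` seconds."""
    allocs = []   # cross-process allocations seen so far
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "alloc" and ev.src_pid != ev.target_pid:
            allocs.append(ev)
        elif ev.kind == "apc":
            for a in allocs:
                in_range = a.address <= ev.address < a.address + a.size
                if (a.target_pid == ev.target_pid and in_range
                        and 0.0 <= ev.ts - a.ts <= window):
                    hits.append((a, ev))
    return hits

def describe(hit):
    a, ev = hit
    return (f"pid {a.src_pid} allocated {a.size:#x} bytes at {a.address:#x} in pid "
            f"{a.target_pid}; APC at {ev.address:#x} queued {ev.ts - a.ts:.1f}s later")

# Constructed sample events; PIDs and addresses are invented for illustration.
SAMPLE_EVENTS = [
    # watchdog-style injection: remote allocation, then an APC pointing into it
    Event("alloc", 4444, 612, 0x7FF6A0000000, 10.0, size=0x1000),
    Event("apc",   4444, 612, 0x7FF6A0000040, 10.2),
    # benign: a process allocating in itself, then an I/O-completion APC with
    # a routine address that lies in no freshly injected region
    Event("alloc", 900, 900, 0x20000000, 11.0, size=0x4000),
    Event("apc",   4,   900, 0x7FFE1000, 11.5),
    # remote allocation whose APC points somewhere else entirely: not paired
    Event("alloc", 4444, 700, 0x50000000, 20.0, size=0x100),
    Event("apc",   4444, 700, 0x60000000, 20.1),
]

if __name__ == "__main__":
    for hit in find_injection_pairs(SAMPLE_EVENTS):
        print("suspicious injection:", describe(hit))
```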

When legitimate software and malware are indistinguishable

Further investigation revealed that on this particular occasion, it wasn't malware that was injecting and running code in a user process; it was a Huawei-written driver. Huawei's driver was supposed to act as a kind of watchdog: it monitored a regular user mode service that's part of the PCManager software, and if that service should crash or stop running, the driver would restart it. To perform that restart, the driver injected code into a privileged Windows process and then ran that code using an APC—a technique lifted straight from malware.

Why Huawei chose this approach is not immediately clear, since Windows can restart crashed services as a built-in feature; there's no need for an external watchdog.

The Huawei driver did make some attempts to ensure that it would only communicate with and restart Huawei's own service, but improper permissions meant that even an unprivileged process could hijack the driver's watchdog facility and use it to start an attacker-controlled process with LocalSystem privileges, giving that process complete access to the local system.

Microsoft's researchers then continued to look at the driver and found that it had another flawed capability: it could map any page of physical memory into a user process, with both read and write permissions. With this, the user process can modify the kernel or anything else, and as such it, too, represents a gaping flaw.

While there is, of course, an element of the sales pitch around Microsoft's public description of what it found and how it found it (it shows that Defender ATP can indeed yield relevant and valuable data), this example does a good job of showing how Microsoft is using the regular Windows 10 updates to boost defense-in-depth measures and how cloud-based analytics can provide insights that would otherwise be hard to come by. It also highlights just some of the extraordinarily awful things that hardware vendors do when they're tasked with writing software. When your hardware vendors are opening up big security flaws and copying malware techniques, one wonders if we need protection from the good guys as well as the bad ones.

I'm suspicious. Sure there are developers who have no idea what they're doing and may pull something crazy like this. But it coming from China, and Windows being able to restart services since forever just strikes me as really, really strange.

So my question is how did this driver pass WHQL certification, do they not already include checks for known bad security patterns in the driver qualification testing? If not, is there a plan to add such testing? Because catching this once the driver is already out in the wild is a bit of barn door closing.

I'm sick of seeing reviews (https://arstechnica.com/gadgets/2019/01 ... rformance/) for Huawei consumer devices that don't mention their close ties to Chinese military intelligence. How many times do we have to catch them 'mistakenly' installing drivers with backdoors, sending personal information from your machine back to servers in China, or doing other shady stuff before it at least deserves a mention when people are looking for advice?

This will come across as sounding facile perhaps, but this is one reason why I buy Surface devices or build my own PCs and never install the motherboard maker's software.

Microsoft already provides a mechanism by which manufacturers can update their drivers, and soon, even their BIOS and firmware, as Surface does. More OEMs should use it, and spare us the need for incompetently written "management" software that generally duplicates functions that Windows already provides. There are plenty of other ways they can differentiate themselves and reinforce their branding, including by designing innovative hardware and offering useful (but safe) apps through the Microsoft Store.

Because until Defender ATP was looking for this odd combination of calls there was no test to fail.

The whole question is a red herring! Yet people ask questions like this all. the. time.

Review, audit, certification: these are not techniques designed or intended to catch every mistake. Trying to prove correctness, security or non-maliciousness by using what's essentially a bit of commonsense and experience is absurd; blaming the auditors just invites cover-your-ass behavior.

An audit works best if the auditee and auditor are cooperative and constructive (i.e. not defensive!), and from a good audit you might conclude with reasonable likelihood that the publisher is known and appears to be making a real effort to follow best practices that hopefully avoid most common issues.

That's it.

And that's huge! But it's also not even close to any kind of guarantee. Asking for it to be one simply means people are going to stick to the trivial claims and end up simply ticking all the boxes in an entirely unhelpful but noncontroversial fashion.

But if instead you want auditors to tell publishers for many thousands of dollars that their(*) software(**) does not contain(***) known(****) malware(*****), then by all means, we should all be demanding blood from anybody that certified software that contained a bug.

(*) auditor only certified software as provided, which may or may not differ from the software currently being used, and didn't verify code marked as third party.
(**) only the software, not hardware or any other kind of ware.
(***) software analysis restricted to static; dynamically loaded code was not verified
(****) using the OEWSM best practice-10-year-old malware list
(*****) including anti-DRM circumvention devices, but excluding rootkits, RATs, keyloggers because somebody who pays us claims those have valid usages.

I agree 100%. It seems so many people will say it was a mistake but how many mistakes before it becomes a clear pattern of spyware? I am getting tired of this behavior and the people that give them a free pass. /r

Does anyone legitimately think this was just a mistake? How come almost all of the "mistakes" with exploit containing drivers and bundleware are from Chinese companies? This is 100% a back door for the Chinese government, they just put enough extra in there to get plausible deniability. Remember, this isn't a normal security hole, this is software that's explicitly using NSA grade exploits and claiming they are doing it to monitor a service, which is absurd.

Kind of how every Facebook mistake accidentally reveals too much information rather than cuts it off...

It's the new GS programming paradigm. You do a Google Search on how to do something, copy and paste the code, rename the variables, import half the Internet in libraries to use one method and ship it.

It would be fascinating to see the country of origin of the downvotes on this one.

Stop buying electronics from these Chinese government run companies.

I'm glad I'm not the only one thinking that about the Chinese government's involvement in "approved" businesses. I know a lot of folks think the U.S. government is being overly reactionary in banning Huawei's products from government systems, but the Chinese government doesn't let anything happen in their country without a plan involved (and hasn't since the Cultural Revolution). When companies go off script, the government generally imprisons, or executes, those responsible.

These are not the actions of a country who wants to play nice with others.

Given the turn of events with respect to trade with China, it's probably wiser to source your connected electronics from South Korea or Japan (Taiwan is still a question mark, but would likely be safer than anything Mainland Chinese).

The trouble is that these days, with an integrated global economy (albeit less functionally so these days), finding out where components may have been sourced is probably going to be next to impossible. And so many OEMs just send out the specs to a Chinese factory and get chips back that do what they want (as well as what the Chinese government might want).

When nation/states get involved in corporate espionage to the point that China has done so, it's a fool's errand to trust them on any level. It sucks balls, yes, but what China is trying to do sucks even more.

And yet I see people criticizing the US government for claiming Huawei sell compromised products. They ask for proof. Well here it is. This isn't the first time we've seen it either.

Using the same strategy as well documented malware isn't a coincidence and do you think restarting a service is the only thing their "management" software uses that technique for? Of course not. The only mistake here is that they got lazy and used it on something far more common and mundane which raised the chances they would get caught significantly.

They claim they have patched it. I don't see any reason to believe them. Their idea of patching it could mean they have changed to a different technique to obfuscate their malicious behavior better.

I love how so many people are jumping to the conclusion that this is a backdoor installed by the Chinese government. Possible? Sure, but Occam's Razor states that sloppy coding practices are more likely to blame.

If it is a government backdoor, however, that would be ironic given that the techniques employed were first demonstrated in malware by the NSA.

I downvoted. I'm from Serbia and I think the xenophobia people seem to have towards Chinese tech is absurd. Huawei has done some shady stuff but there's numerous examples of American companies putting backdoors in their products as well. Microsoft has very close ties to the US Department of Defense (not to mention their involvement in PRISM) and Cisco leaves backdoors in their routers.

So if you want these things to be mentioned in Huawei's reviews, then I'd argue things like Asus letting backdoors slip through their update system should be mentioned too.

Sloppy coding practices would be using this method as a lazy way to restart a monitored process from a kernel driver. That could've come about by coincidence, no copying necessary.

However, the NSA was the first entity to demonstrate how these two OS facilities in conjunction could be employed by malware. If China were deliberately employing this as a malware technique, that would likely be where they learned about it. Which would in turn imply that US consumers have fallen victim to a technique divulged to the Chinese government by a US government agency tasked with national security. And that would be ironic.